A supposed 7-Zip zero-day is actually an AI hoax
- Twitter user posts alleged zero-day exploit for 7-Zip software
- However, the creator of 7-Zip quickly debunked the error
- Igor Pavlov says AI hallucination is to blame, and mistakes aren’t legitimate
As a New Year’s gift, a Twitter user posted details of a zero-day exploit in the popular file compression software 7-Zip, but its creator, Igor Pavlov, quickly debunked it as an AI hoax.
“The overall conclusion is that this fake Twitter exploit code was generated by LLM (AI),” he began comments on software repository Sourceforge.net (via Tom’s hardware).
Pavlov further suggested that the exploit code is essentially the product of an LLM hallucination – an AI making things up, which has become a common occurrence with the increasing popularity of AI.
Hallucination with 7-Zip exploit code
“The comment in the ‘fake’ code contains the statement: ‘This exploit targets a vulnerability in the LZMA decoder of the 7-Zip software. It uses a crafted .7z archive with a malformed LZMA -stream to avoid a buffer overflow in the RC_NORM function.'”
“But there is no RC_NORM function in (the) LZMA decoder. Instead, 7-Zip includes the RC_NORM macro in the LZMA encoder and PPMD decoder. So the LZMA decoding code does not call RC_NORM. And the statement about RC_NORM in the exploit comment is false.”
We have no reason not to believe that what Pavlov says is true: 7-Zip is open source to begin with, so anyone can verify his claims.
And while we’re not going to name the Twitter user responsible for spreading the rumor, or post a link to the tweet, we’d say it sounds like a cowardly attempt to grab attention on the Internet – unthinkable, that we know – considering the user claims to be holding a weeklong reveal of software 0-days as “thanks to all the new followers.”
It seems like the stormiest teacup imaginable, but maybe you’ll hear from us again in a week.